vault-provision 0.1.7 → 0.1.8
- checksums.yaml +4 -4
- data/.rubocop.yml +2 -0
- data/Gemfile.lock +2 -2
- data/VERSION +1 -1
- data/examples/basic/secret/bar/bad.json +4 -0
- data/examples/basic/secret/baz/yummy.json +4 -0
- data/examples/basic/secret/foo/good.json +4 -0
- data/lib/vault/provision/pki/config/{crl.json → crl.rb} +1 -1
- data/lib/vault/provision/pki/config/urls.rb +2 -1
- data/lib/vault/provision/pki/config.rb +1 -0
- data/lib/vault/provision/pki/intermediate/generate/internal.rb +2 -9
- data/lib/vault/provision/pki/roles.rb +2 -10
- data/lib/vault/provision/pki/root/generate/internal.rb +2 -9
- data/lib/vault/provision/prototype.rb +16 -0
- data/lib/vault/provision/secret.rb +19 -0
- data/lib/vault/provision.rb +2 -2
- data/spec/vault_provision_spec.rb +17 -0
- metadata +9 -4
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 2b899b07ba3632b5568363ad5dd4f0c446eb3c19
|
4
|
+
data.tar.gz: b88d77a6a1fd6848022025963a9be18390afe997
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: fe576f3c3c977abce9e97da0181d3fb948c057791f18b12c470cc1f82b61e3519af167389139eadf6ffea144cf1c98ffa11824dfe1606d3af9c040443f94e7c2
|
7
|
+
data.tar.gz: 63b14e18917b623d5e448ed4524c887199a6757bafa9be2184a5309e070dc5eda386e63428d8f4ea666fbb87dbd8b7f3aa8fd0074616ede502bfc0d65e89e23e
|
data/.rubocop.yml
ADDED
data/Gemfile.lock
CHANGED
@@ -4,7 +4,7 @@ PATH
|
|
4
4
|
vault-provision (0.1.7)
|
5
5
|
activesupport (~> 5.0, >= 5.0.2)
|
6
6
|
rhcl (~> 0.1.0)
|
7
|
-
vault (~> 0.
|
7
|
+
vault (~> 0.10)
|
8
8
|
|
9
9
|
GEM
|
10
10
|
remote: https://rubygems.org/
|
@@ -49,7 +49,7 @@ DEPENDENCIES
|
|
49
49
|
rhcl (~> 0.1.0)
|
50
50
|
rspec (~> 3.5.0)
|
51
51
|
rspec-core (~> 3.5.4)
|
52
|
-
vault (~> 0.10
|
52
|
+
vault (~> 0.10)
|
53
53
|
vault-provision!
|
54
54
|
|
55
55
|
BUNDLED WITH
|
data/VERSION
CHANGED
@@ -1 +1 @@
|
|
1
|
-
0.1.
|
1
|
+
0.1.8
|
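--- a/data/lib/vault/provision/pki/config/urls.rb
+++ b/data/lib/vault/provision/pki/config/urls.rb
@@ -15,8 +15,9 @@ class Vault::Provision::Pki::Config::Urls < Vault::Provision::Prototype
 end
 
 def provision!
-
+repo_files_by_mount_type('pki').each do |rf|
 mount_point = rf.split('/')[-3]
+next unless FileTest.file?(urls_file(mount_point))
 @vault.post "v1/#{mount_point}/config/urls", File.read(rf)
 end
 end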
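Review bot: The guard added on new line 20 only checks that `urls_file(mount_point)` exists, while the POST on line 21 still sends `File.read(rf)`, so every `.json` under the mount whose path yields the same `[-3]` component (a sibling such as `config/crl.json`, if present) is also pushed to `config/urls`, and whichever file `Find` yields last wins. Compare the file itself rather than its neighbour: `next unless rf == urls_file(mount_point)`. The same check-one-file-post-another shape appears in the intermediate and root `generate/internal` hunks (`FileTest.file?(gen_file(mount_point))` followed by `File.read(rf)`), where `next unless rf == gen_file(mount_point)` would do; there the `generated?` and `@pki_allow_destructive` guards narrow the window but do not close it. Whether the two paths compare byte-for-byte depends on how `urls_file` and `repo_files_by_mount_type` build them, both of which are outside this hunk.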
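--- a/data/lib/vault/provision/pki/intermediate/generate/internal.rb
+++ b/data/lib/vault/provision/pki/intermediate/generate/internal.rb
@@ -6,17 +6,10 @@ class Vault::Provision::Pki::Intermediate::Generate::Internal < Vault::Provision
 "#{@instance_dir}/#{mount_point}/intermediate/generate/internal.json"
 end
 
-def repo_files
-mounts = @vault.sys.mounts
-generators = mounts.keys.select do |mp|
-mounts[mp].type == 'pki' && FileTest.file?(gen_file(mp))
-end
-generators.map { |mp| gen_file(mp) }
-end
-
 def provision!
-
+repo_files_by_mount_type('pki').each do |rf|
 mount_point = rf.split('/')[-4]
+next unless FileTest.file?(gen_file(mount_point))
 next if generated? mount_point
 next unless @pki_allow_destructive
 resp = @vault.post "v1/#{mount_point}/intermediate/generate/internal",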
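--- a/data/lib/vault/provision/pki/roles.rb
+++ b/data/lib/vault/provision/pki/roles.rb
@@ -3,22 +3,14 @@ class Vault::Provision::Pki::Roles < Vault::Provision::Prototype
 include Vault::Provision::Pki
 
 def repo_files
-
-pki_mounts = mounts.keys.select { |mp| mounts[mp].type == 'pki' }
-roles = []
-pki_mounts.each do |mp|
-Find.find("#{@instance_dir}/#{mp}/roles/").each do |rf|
-next unless rf.end_with? '.json'
-roles << rf
-end
-end
-roles
+repo_files_by_mount_type('pki').select { |rf| rf.split('/')[-2] == 'roles' }
 end
 
 def provision!
 repo_files.each do |rf|
 mount_point = rf.split('/')[-3]
 role_name = File.basename(rf, '.json')
+puts " * #{role_name}"
 @vault.post "v1/#{mount_point}/roles/#{role_name}", File.read(rf)
 end
 end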
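Review bot: The new `repo_files` (new line 6) accepts any `.json` whose immediate parent directory is named `roles`, at any depth under the mount, while `provision!` still derives the mount from `rf.split('/')[-3]`, so a file at `<mount>/x/roles/y.json` would be posted to a mount called `x`. Tying the match to the mount's own roles directory keeps the two in step: `select { |rf| File.dirname(rf) == "#{@instance_dir}/#{rf.split('/')[-3]}/roles" }`. The removed `Find.find("…/roles/")` raised when a pki mount had no roles directory; the new code silently yields nothing for it, which is probably the intent but is worth a one-line comment on `repo_files`. Nested Vault mount paths, if the server allows them, would also break the `[-3]` arithmetic, but that predates this change.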
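--- a/data/lib/vault/provision/pki/root/generate/internal.rb
+++ b/data/lib/vault/provision/pki/root/generate/internal.rb
@@ -6,17 +6,10 @@ class Vault::Provision::Pki::Root::Generate::Internal < Vault::Provision::Protot
 "#{@instance_dir}/#{mount_point}/root/generate/internal.json"
 end
 
-def repo_files
-mounts = @vault.sys.mounts
-generators = mounts.keys.select do |mp|
-mounts[mp].type == 'pki' && FileTest.file?(gen_file(mp))
-end
-generators.map { |mp| gen_file(mp) }
-end
-
 def provision!
-
+repo_files_by_mount_type('pki').each do |rf|
 mount_point = rf.split('/')[-4]
+next unless FileTest.file?(gen_file(mount_point))
 next if generated? mount_point
 next unless @pki_allow_destructive
 @vault.post "v1/#{mount_point}/root/generate/internal", File.read(rf)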
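--- a/data/lib/vault/provision/prototype.rb
+++ b/data/lib/vault/provision/prototype.rb
@@ -24,6 +24,22 @@ class Vault::Provision::Prototype
 Find.find(repo_path).select { |rf| rf.end_with?('.json') }
 end
 
+def repo_files_by_mount_type type
+mounts = @vault.sys.mounts
+my_mounts = mounts.keys.select { |mp| mounts[mp].type == type }
+
+files = []
+my_mounts.each do |mp|
+next unless Dir.exist? "#{@instance_dir}/#{mp}"
+Find.find("#{@instance_dir}/#{mp}").each do |rf|
+next unless rf.end_with? '.json'
+files << rf
+end
+end
+files
+end
+
+
 def provision!
 puts "#{self.class} says: Go climb a tree!"
 end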
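Review bot: `repo_files_by_mount_type` (new lines 27–40) accumulates into `files` with nested `each` blocks where the sibling `repo_files` on line 24 already uses `Find.find(...).select { |rf| rf.end_with?('.json') }`; the same shape with `flat_map` makes the helper read like its neighbour and drops the scratch array, and the parameter list should take parens, `def repo_files_by_mount_type(type)`. The method also deserves a short comment, since every caller decodes the mount back out of the returned path with `split('/')` offsets: something like `# Every .json under <instance_dir>/<mount> for each mount of the given type; mount names come from the server's mount table and are assumed to map 1:1 onto directories.` Whether a mount name can contain path separators or `..` is not visible here, so that assumption is best stated rather than relied on silently.
```ruby
def repo_files_by_mount_type(type)
  mounts = @vault.sys.mounts
  my_mounts = mounts.keys.select { |mp| mounts[mp].type == type }

  my_mounts.flat_map do |mp|
    mount_dir = "#{@instance_dir}/#{mp}"
    next [] unless Dir.exist? mount_dir
    Find.find(mount_dir).select { |rf| rf.end_with? '.json' }
  end
end
# … unchanged: provision! …
```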
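--- /dev/null
+++ b/data/lib/vault/provision/secret.rb
@@ -0,0 +1,19 @@
+# Generic secret (k/v pairs) backend provisioning
+#
+# WARNING: Use of this module will inevitably lead you down
+# the path of commiting secrets into repositories. Sometimes,
+# that's ok! For example, consider using Vault's generic backend
+# to store non-secret data, like a set of public certificates
+# (but not their private keys).
+# https://www.vaultproject.io/api/secret/generic/index.html
+class Vault::Provision::Secret < Vault::Provision::Prototype
+def provision!
+repo_files_by_mount_type('generic').each do |rf|
+validate_file! rf
+kv_path = rf.sub(/\A#{@instance_dir}/, '').sub(/.json\z/, '')
+
+puts " * #{kv_path}"
+@vault.post "v1/#{kv_path}", File.read(rf)
+end
+end
+end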
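Review bot: `kv_path` on new line 13 interpolates `@instance_dir` into a regex unescaped and strips the suffix with an unescaped dot, so a directory name containing `.`, `+` or parentheses is matched loosely and the prefix strip can fail or over-strip; `kv_path = rf.sub(/\A#{Regexp.escape(@instance_dir)}\/?/, '').sub(/\.json\z/, '')` pins both. The optional `\/?` matters too: without it `kv_path` starts with `/` whenever `@instance_dir` has no trailing slash and the request goes to `v1//secret/...`; the spec reads back `v1/secret/foo/good`, so either the server tolerates the doubled slash or the directory carries one, and that is better made explicit than assumed. `validate_file!` is defined outside this hunk, so what it checks before `File.read(rf)` is sent verbatim is not visible here. In the header comment, `commiting` should read `committing`.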
data/lib/vault/provision.rb
CHANGED
@@ -7,7 +7,7 @@ require 'vault/provision/prototype'
|
|
7
7
|
require 'vault/provision/auth'
|
8
8
|
require 'vault/provision/sys'
|
9
9
|
require 'vault/provision/pki'
|
10
|
-
require 'vault/provision/
|
10
|
+
require 'vault/provision/secret'
|
11
11
|
|
12
12
|
# controller for the children
|
13
13
|
class Vault::Provision
|
@@ -34,7 +34,7 @@ class Vault::Provision
|
|
34
34
|
Pki::Intermediate::Generate::Internal,
|
35
35
|
Pki::Config::Urls,
|
36
36
|
Pki::Roles,
|
37
|
-
|
37
|
+
Secret,
|
38
38
|
Sys::Policy,
|
39
39
|
Auth::Ldap::Groups,
|
40
40
|
Auth::Approle
|
@@ -94,4 +94,21 @@ describe Vault::Provision do
|
|
94
94
|
expect(resp[:data]).to be
|
95
95
|
expect(resp[:data][:role_id]).to be == 'robert_paulson'
|
96
96
|
end
|
97
|
+
|
98
|
+
it "can provision generic k/v pairs" do
|
99
|
+
good = client.get('v1/secret/foo/good')
|
100
|
+
expect(good[:data]).to be
|
101
|
+
expect(good[:data][:whiskers]).to be == 'on kittens'
|
102
|
+
|
103
|
+
bad = client.get('v1/secret/bar/bad')
|
104
|
+
expect(bad[:data][:'😡']).to be \
|
105
|
+
== 'How I feel when people put secrets in source code.'
|
106
|
+
expect(bad[:data][:'😀']).to be \
|
107
|
+
== 'How I feel when people put non-secret config data in k/v stores with decent access control policies'
|
108
|
+
|
109
|
+
yummy = client.get('v1/secret/baz/yummy')
|
110
|
+
|
111
|
+
expect(yummy[:data]).to be
|
112
|
+
expect(yummy[:data][:bear]).to be == '🐻 rawr!'
|
113
|
+
end
|
97
114
|
end
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: vault-provision
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.1.
|
4
|
+
version: 0.1.8
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Tom Maher
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2017-06-
|
11
|
+
date: 2017-06-22 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: rake
|
@@ -93,6 +93,7 @@ extensions: []
|
|
93
93
|
extra_rdoc_files: []
|
94
94
|
files:
|
95
95
|
- ".gitignore"
|
96
|
+
- ".rubocop.yml"
|
96
97
|
- Gemfile
|
97
98
|
- Gemfile.lock
|
98
99
|
- README.md
|
@@ -122,6 +123,9 @@ files:
|
|
122
123
|
- examples/basic/pki-root/roles/.keep
|
123
124
|
- examples/basic/pki-root/roles/unlimited.json
|
124
125
|
- examples/basic/pki-root/root/generate/internal.json
|
126
|
+
- examples/basic/secret/bar/bad.json
|
127
|
+
- examples/basic/secret/baz/yummy.json
|
128
|
+
- examples/basic/secret/foo/good.json
|
125
129
|
- examples/basic/sys/auth.json
|
126
130
|
- examples/basic/sys/auth/.keep
|
127
131
|
- examples/basic/sys/auth/approle.json
|
@@ -153,7 +157,7 @@ files:
|
|
153
157
|
- lib/vault/provision/generic.rb
|
154
158
|
- lib/vault/provision/pki.rb
|
155
159
|
- lib/vault/provision/pki/config.rb
|
156
|
-
- lib/vault/provision/pki/config/crl.
|
160
|
+
- lib/vault/provision/pki/config/crl.rb
|
157
161
|
- lib/vault/provision/pki/config/urls.rb
|
158
162
|
- lib/vault/provision/pki/intermediate.rb
|
159
163
|
- lib/vault/provision/pki/intermediate/generate.rb
|
@@ -165,6 +169,7 @@ files:
|
|
165
169
|
- lib/vault/provision/pki/root/generate/exported.rb
|
166
170
|
- lib/vault/provision/pki/root/generate/internal.rb
|
167
171
|
- lib/vault/provision/prototype.rb
|
172
|
+
- lib/vault/provision/secret.rb
|
168
173
|
- lib/vault/provision/sys.rb
|
169
174
|
- lib/vault/provision/sys/auth.rb
|
170
175
|
- lib/vault/provision/sys/policy.rb
|
@@ -192,7 +197,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
192
197
|
version: '0'
|
193
198
|
requirements: []
|
194
199
|
rubyforge_project:
|
195
|
-
rubygems_version: 2.6.
|
200
|
+
rubygems_version: 2.6.11
|
196
201
|
signing_key:
|
197
202
|
specification_version: 4
|
198
203
|
summary: Provisioning utility for HashiCorp's Vault
|